
HIPAA compliance: Are you doing your part?

July 8, 2022
The days when dentists could simply waive their HIPAA obligations and hope for the best are long gone, and fines for HIPAA violations can destroy your practice. Here's how to keep your practice and your patients’ personal information safe.

Dental practitioners are constantly reminding their patients about the importance of good hygiene and warning them that failing to diligently brush and floss will lead, sooner or later, to cavities and other problems. But when it comes to practicing good data hygiene, many dental practices are themselves falling short and failing to take the basic precautions needed to keep themselves and their patients safe. 

We all know that we have both a moral and a legal obligation to keep our patients’ personal information safe. Under HIPAA rules, every health-care practice is clearly required to take proper precautions to protect patients’ privacy. But the reality is that while every practice pays lip service to the importance of HIPAA compliance, few practices are doing enough to truly keep their data safe.

With potential fines for HIPAA violations reaching $1.5 million—enough to destroy many dental businesses outright—this is a problem that needs solving. So what can dental organizations do to ensure they’re truly HIPAA compliant and that they’re keeping their patients’ data safe? 


Not such a big sky 

The first thing we need to do is recognize the shortcomings of many practices’ current data infrastructure. Many dental offices do the bare minimum to protect data and simply hope they won’t face any kind of data breach. In aviation, this is called a “big sky” defense—sure, it’d be a disaster if two planes collided, but it’s a big sky, so let’s hope for the best.

The problem is that for dentists, the sky is getting smaller. The days when dentists could simply waive their HIPAA obligations and hope for the best are long gone. Rates of identity theft are soaring [1], and medical records are targeted nine times more often than financial records [2]. In fact, medical record theft now takes a $41 billion toll on the US economy [2].

With each stolen record costing an average of $141 [3], dental practices—which typically store hundreds or even thousands of patient records—could find themselves on the hook for enormous costs over and above any regulatory fines or reputational damage they suffer. Counting on the “big sky” to keep you safe simply isn’t good enough.

Going digital is no defense

Many dental organizations take a low-tech approach to HIPAA compliance, using pen-and-paper records that can’t be targeted by digital attacks. But such an approach isn’t ultimately a safer option than going digital. If your office gets burgled, or if a fire or a flood sweeps through your office, you’re still responsible for your patients’ medical information. 

To get around these critical vulnerabilities, many organizations have switched to the use of on-premise servers to store their patient records. But these approaches also bring problems: what if a server or a laptop is stolen? What if the portable hard drive you’re using to back up information gets erased, or goes missing? And what if your servers get hacked or hit by a ransomware attack, or the contractors you hire to maintain your infrastructure fail to do a good job of keeping things secure? 

Things get really messy as organizations start to grow. Often, one office will use a pen-and-paper approach, another will use an on-premise solution, and yet another will use an entirely different on-premise system. The weaknesses in such a patchwork approach to data handling aren’t additive, they’re multiplicative—because not only does each data-handling method have its own vulnerabilities, but the interactions between those systems create countless new vulnerabilities to sensitive data.

Take to the cloud

Fortunately, there’s a better way. Across the health-care system, practitioners and administrators are now switching to record-keeping systems that securely store patient data in the cloud.

The notion is simple. Organizations that use on-premise or self-hosted solutions to store patient data are themselves responsible for the security of that data. These organizations accept not only 100% of the cost of that security, but also 100% of the liability in the event something goes wrong.

In response, leading organizations across a range of industries are now offloading the cost and risk associated with warehousing tens of thousands (or tens of millions) of high-value records to cloud providers such as Google Cloud. Google Cloud Platform (GCP), for example, is FedRAMP certified and maintains a 700+ person security engineering team whose sole focus is to stay ahead of threats and respond immediately, should anything happen. 

The world’s largest companies and US government agencies, including the Department of Defense, trust cloud providers like GCP to protect their data. Can you say the same about your in-house or third-party IT resources? 

Of course, you can’t simply outsource your HIPAA obligations. Even with a cloud provider, you’ll need to make sure your office staff are well trained, that your passwords are secure, and that your communication policies and record-handling processes are performed effectively. But partnering with a cloud provider does reduce the burden of HIPAA compliance to a more manageable and cost-effective level. 

Time for a data checkup

Much like forgetting to floss, waiving your HIPAA obligations can be a shortsighted and costly mistake. Much like skimping on your dental hygiene, cutting corners when it comes to patient records might not seem like a big deal until it’s too late to put things right. The key, of course, is to take preventive action now, and to build out a robust data handling system before things go wrong. 

So if you’ve been cutting corners or relying on the “big sky” defense to keep your practice and your patients safe, it’s time for some honest self-reflection. Give your organization’s data hygiene a long, hard look, and then start looking for a cloud solution that can keep your patients’ records safe without holding back your organization’s growth and profitability. 

Editor's note: This article appeared in the July 2022 print edition of Dental Economics magazine.

References

  1. Identity theft and credit card fraud statistics for 2021. The Ascent. https://www.fool.com/the-ascent/research/identity-theft-credit-card-fraud-statistics/
  2. Why is the healthcare industry the biggest victim of identity theft and data breaches? Allstate Identity Protection. https://www.allstateidentityprotection.com/business/content-hub/why-healthcare-industry-biggest-victim-of-identity-theft-and-data-breaches
  3. How much does a data breach cost? IBM. https://www.ibm.com/security/data-breach 
